Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
PAM_KSU(8)		FreeBSD	System Manager's Manual		    PAM_KSU(8)

     pam_ksu --	Kerberos 5 SU PAM module

     [service-name] module-type	control-flag pam_ksu [options]

     The Kerberos 5 SU authentication service module for PAM, pam_ksu for only
     one PAM category: authentication.	In terms of the	module-type parameter,
     this is the "auth"	feature.  The module is	specifically designed to be
     used with the su(1) utility.

   Kerberos 5 SU Authentication	Module
     The Kerberos 5 SU authentication component	provides functions to verify
     the identity of a user (pam_sm_authenticate()), and determine whether or
     not the user is authorized	to obtain the privileges of the	target ac-
     count.  If	the target account is "root", then the Kerberos	5 principal
     used for authentication and authorization will be the "root" instance of
     the current user, e.g. "user/root@REAL.M".	 Otherwise, the	principal will
     simply be the current user's default principal, e.g. "user@REAL.M".

     The user is prompted for a	password if necessary.	Authorization is per-
     formed by comparing the Kerberos 5	principal with those listed in the
     .k5login file in the target account's home	directory (e.g.	/root/.k5login
     for root).

     The following options may be passed to the	authentication module:

     debug	     syslog(3) debugging information at	LOG_DEBUG level.

     use_first_pass  If	the authentication module is not the first in the
		     stack, and	a previous module obtained the user's pass-
		     word, that	password is used to authenticate the user.  If
		     this fails, the authentication module returns failure
		     without prompting the user	for a password.	 This option
		     has no effect if the authentication module	is the first
		     in	the stack, or if no previous modules obtained the
		     user's password.

     try_first_pass  This option is similar to the use_first_pass option, ex-
		     cept that if the previously obtained password fails, the
		     user is prompted for another password.

     su(1), syslog(3), pam.conf(5), pam(8)

FreeBSD	13.0			 May 15, 2002			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help